@kacheng : are you sure openvpn is running in the tcp scenario (ssh into the router, do a ps and check if the myvpn process is running)? I've had it happen to me a bunch of times that I thought I had it all worked out, but openvpn would immediately exit due to a configuration problem or port that is already in use.

proto tcp-server seems to work!
I must have copied that from an OpenVPN config for an older version of OpenVPN.

I did not have to do any port forwarding. As I understand it OpenVPN 2.0+ can operate on 443 without probs and OpenVPN 2.1+ can even port share with an https server using the port-share servername 443 directive.

Isn't the whole point of having openvpn in the firmware so you can use openvpn in client mode to connect to the openvpn daemon in server mode running on your router? And with all the things you can do with openvpn (and the help of iptables in certain instances), I don't see any application that would require anything else - you can't beat fully transparent access to the net you're connecting to.

Thanks a lot for your work, but I have a problem tunneling my inet traffic to my VPN clients. OpenVPN can establish a tunnel but I don't receive any packets from the server. I'm using the following server and client.conf.

For better comprehension:

Router with Tomato OpenVPN Mod, IP: 192.168.2.1
Port 1194 is forwarded, and the routing settings are also set.

I have a few questions with regard to that config and what you posted:

My friend is also using this config etc., but he is using an NSLU2, and it's working.

Do you mean he's using his slug to connect to your router, or that he has a slug configured and connects to it using his own client PC? If it's the latter, any chance he could temporarily create a client for you for trial purposes so you know there's nothing wrong with OpenVPN on the client box?

Then

local 192.168.2.1

Makes openvpn listen on the local interface 192.168.2.1 which I assume is the local IP of your router (and thus the IP of br0)

server 192.168.10.0 255.255.255.128

Does the following:

Assigns the IP 192.168.10.1/25 to tap0 (which is different from the IP of br0.. so now you have an interface within a different subnet connected to the same physical bridge, but you haven't defined any routing in between, so nothing will pass between 192.168.10.x and 192.168.2.x).

It will also do the following
Assigns 192.168.10.x addresses so your client gets an IP address from openvpn and not from the dhcp server already running on the tomato (I don't really see the point in openvpn giving out IPs in a bridged config.. after all bridged is supposed to be transparent, so why not have one dhcp handle it all?)

Then you have

push "dhcp-option DNS 192.168.2.1"

Which tells the client to use 192.168.2.1 as DNS server..
and
push "redirect-gateway def1"

what's def1?
(and while we're at it, what's up with vpn_gateway in the client config?)

Now I assume you want to use your tomato as default gateway.. so def1 would be 192.168.2.1.. so your DNS packets go through the tunnel and end up on the bridge, and the dhcp may even try to reply (not sure about that as I don't know the components), but it has no route to the net 192.168.10.x.. so nothing will get back. Likewise for any traffic that's supposed to go to your net..

Finally, in the client config you have

route 192.168.2.0 255.255.255.0 vpn_gateway 3

Apart from the vpn_gateway that I already mentioned.. there's no point in adding routes from client and server.. you already push the default gateway to the client upon connection.. so all the traffic will be routed through your tomato anyway.

@edit: if you want to work with different subnets, I think you should use tun mode - bridge mode is meant for something else (see the documentation).
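The routed (tun) alternative the post above recommends, written out as an added example for the topology in this thread (router 192.168.2.1, LAN 192.168.2.0/24, VPN clients in 192.168.10.0/25); this is not a config from the thread, and the port, protocol and key file names are assumptions:

```conf
# --- server side (on the Tomato router) ---
port 1194
proto udp
dev tun                                 # routed, not bridged: with tap the clients
                                        # would sit directly on the 192.168.2.x LAN
# no "local 192.168.2.1": the daemon listens on all interfaces, so WAN clients can reach it
server 192.168.10.0 255.255.255.128     # tun0 becomes 192.168.10.1, clients get .2 - .126
push "route 192.168.2.0 255.255.255.0"  # clients learn the route to the LAN through the tunnel
push "dhcp-option DNS 192.168.2.1"      # router's dnsmasq answers DNS for the clients
push "redirect-gateway def1"            # def1 = add 0.0.0.0/1 and 128.0.0.0/1 routes instead of
                                        # replacing the client's default route, so the original
                                        # default route survives for when the tunnel drops
keepalive 15 60                         # one keepalive line only (the thread's config had two)
# no "cipher BF-CBC": it was the default in this OpenVPN version, so the line is redundant
ca ca.crt                               # assumed file names, relative to the config directory
cert server.crt
key server.key
dh dh1024.pem
# The router still needs ip_forward=1 and iptables FORWARD rules between tun0 and br0,
# plus MASQUERADE to the WAN interface, for the "use my Internet connection" case.

# --- client side ---
client
dev tun
proto udp
remote PUBLIC_IP_OF_ROUTER 1194         # placeholder: the router's public address
# no "route 192.168.2.0 255.255.255.0 vpn_gateway 3" line: the server pushes that route
# (vpn_gateway is OpenVPN's keyword for the tunnel's remote endpoint, 3 was the metric)
ca ca.crt
cert client.crt
key client.key
```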

My friend has a slug and he is running an OpenVPN server. His config is so far running and stable! So I put his config on my tomato and thought this would be enough. (I certainly changed some variables.)

His first problem before getting OpenVPN on the debian slug working was that he wasn't using this command "echo "1" > /proc/sys/net/ipv4/ip_forward". But now after adding this small command, everything is working. We can play some games over his VPN, I can use his Internet connection etc. And that is all that I'd like to have, but using my tomato instead of an NSLU2.

Back to my tomato config:
I reconfigured a little part and my friend can now connect to my VPN, but he still can't use my Internet connection either. What did I miss here? It can only be a routing problem!?

I attached the new server and client config and a picture of my Advanced routing settings.

If you're not going to correct the part that I wrote about (tap => bridged => don't use another subnet for openvpn), then at least explain in detail what you want to do and what this is about with the 192.168.2 and 192.168.10 networks.. (and as a little help.. if you want machines connected via vpn be in the 192.168.10.x subnet and locally connected clients to be in the 192.168.2.x subnet then you are most definitely looking at a tunnel interface and not a bridge interface and should follow the instructions on how to set up the tun interface on this wiki page.)

You also have duplicate lines in your server configuration:

keepalive 15 60
keepalive 10 60

And I have some doubts about other stuff.. e.g. you select the blowfish cipher but that's the default so specifying it is redundant (and as I said, specifying the local IP address as listening address is redundant too.. tap0 is bridged to the untagged part of the switch so nothing ever goes out vlan1 anyway.. so unless you have different internal subnets there's no point in specifying a listening address).

Last but not least.. forget that it works for your friend.. the Slug is a different animal and you don't know what he might have done with iptables and routing (and I assume the slug is behind his router which makes it even more different from running openvpn directly on your router). Instead, first figure out exactly what you want to do (network topology is a crucial part of that), then build it from scratch following the examples in the dd-wrt wiki and don't try to go headfirst through a wall (like using a bridged interface and then try to force it to route something - using a tap interface means you are directly connected to your 192.168.2.x network... if you want 192.168.10.x for VPN clients.. use tun - and I know I'm repeating myself but I cannot stress the importance of this difference enough).

I'm currently running the latest Tomato with OpenVPN (1.14.1291) and have configured it with a static key. Everything works as expected fresh after reboot and the client can connect to my router. But after a few hours without connection the myvpn process dies so nobody can connect. When I start it again from the console it works again without problems until the next few hours. Anybody had such problems? What can I do to prevent it?

I discovered what should be added to server config to remove 60 seconds restarting. My static key config is from third post in this thread and is with parameter --keepalive 10 60. So after 60 seconds with no link it restarts server.

But after consulting Static Key Mini-HOWTO on OpenVPN site I discovered that I need --ping-timer-rem parameter. As OpenVPN 2.1 manual says:

--ping-timer-rem - Run ping timers only if we have a remote address. Use this option if you are starting the daemon in listen mode (i.e. without an explicit --remote peer), and you don't want to start clocking timeouts until a remote peer connects.

Now my server works without restarting every minute - time will show if it will work longer with it.

UPDATE: With --ping-timer-rem myvpn process is rock-solid since 2 days

When I used the default configuration at the beginning of the thread I was able to connect to the VPN but devices on the LAN behind the VPN weren't able to connect to the internet. I tried dd-wrt and that worked, then I tried OpenWrt and couldn't get that to work either. The difference was the dd-wrt was using the route-up and route-down scripts, so I implemented the route-up and route-down in mine with success.

I am using the default UDP port 1194 for OpenVPN but feel free to change it to whatever you like.

4. Click Save

5. Reboot your router and you should have a VPN connection with internet behind the tunnel.

Please be aware that the above was just a guide to complement Roadkill's instructions at the beginning of the thread.

This script works great for me and I even made VoIP calls through the tunnel with no problem. From my firewall I also have a SNAT to an external IP which correctly shows up when I go to http://www.whatismyip.com.

Connecting to a Server behind the Tunnel needs your help!
I am able to connect to my router's web interface on the public IP. However, I have a server (192.168.1.2) behind the VPN on the network 192.168.1.0 255.255.255.0 that I am trying to connect to using port 8001. I have redirected the port 8001 to Port 80 on 192.168.1.2 in the router under Port Forwarding >> Basic but I am not able to connect to it. Maybe I have overlooked something but this works fine outside of the VPN but need to be able to connect to it inside of the tunnel.

The way I understand it, the port forwarding works by adding certain iptables rules to allow communication between

wan-ip:outside port <-> specified-lan-ip:inside port

Your tun0 interface is bridged onto br0, which is on the LAN side of your router.. so the port mapping you have defined (on the openvpn server I presume.. network diagrams always help if you want to talk about a routed scenario) won't come into play.

OK, so VPN or no.. which of all those links has the SDMod support? Been waiting for this for some time now and would love to finalize it.

**Already have the mod installed, I just dumped another popular firmware for Tomato rock solid stability.

Scratch that, found it. Some issues mounting BUT if it works like the other mods I will have to format outside the box and then try. Will let you know if that is the case or not.

***Scratch that, 2 cards both formatted outside the unit, reset config and enabled, and mount fails on both. Logs and dmesg yield nothing about mmc at all. Tell me what you need and I'll get it (hreality@gmail.com). Might need a feature similar to another firmware.. where you can manually set the GPIO numbers for CS, D0, D1 & CLK.

Also, not too fond of the green on black etc. but would love to see a "Red Tomato", then I can have the office red and the living room/xbox green.

It 'could' be done but there are a few things missing.
1. I have yet to see a complete dum-dum how-to guide for compiling.
2. The size of a VM env. would be the OS etc., which could be HUGE.
3. Hosting for such a thing (bandwidth considerations etc.).

I haven't tried to compile Roadkill's mod, but first you need to be able to compile the Linksys firmware, then Tomato, and then the Tomato mod. The tricky step is having a Linux environment with all the right tools installed in the expected places; then building the firmware is easy!

If you have a spare old PC I can recommend a single CD distro called VectorLinux VL5.8-SOHO-final.iso - which doesn't need any extras installed to be able to build firmwares (it also can recompile its own kernel from included sources). VL 5.9 didn't work for me, as it uses a later version of gcc/make. I tried a few others but gave up as too tricky to configure. The above VL 5.8 install has ssh/samba so doesn't need a keyboard/monitor - but my P3-560 is a bit slow...

Is there any way to detach serial port 0 (/dev/tts/0) from the console (terminal, BusyBox....)??? In OpenWRT there is an inittab file where I can comment out one line and the console is detached. But OpenWRT is not stable on my Linksys WRT54GL.

It's something about the GPIO pin settings.. I had to use non-defaults when I used WRT (sorry, I said a bad word). Current, I think, was 1.4 on the front page; it refused to mount or format, and external format still failed mounting.

Just change the soldering and you should be fine. Autodetection worked for me. If you want I can try to figure out my GPIO assignments.

Click to expand...

Because the pinout on the board for the 2.2 was different (per the OpenWRT wiki). If I get a chance I'll give mine a confirmation look and see what I can see. It has been a while since I actually went in and messed with the hardware side.

Let me explain further:

It appears that when my VPN is connected I am not able to access my router's web interface or ssh from its public IP. However, I can access the web interface and ssh through the vpn tunnel. I can also connect to any other device that is on the LAN behind the tunnel.

Guys, I'll post 1.16 soon; it's already done. I also upgraded busybox to version 191 and located the bug which caused all the dhcp client issues from version 1.13+. It's now working perfectly. I'll post it within a week :grin:

So as I said, your setup doesn't really get you where you want to go.. what you should be able to do now is access http://1.2.3.4:8001 and that should get you to your VoIP device. The port forwarding always forwards ports between the WAN (VLAN1) and LAN (br0).. you want tun0 to br0 and you cannot do that via the web GUI.

Some questions: Do you have routing and firewalls properly set up on all locations (your PC client needs to know the routes to access machines on the branch office LAN, your server needs to route between the two VPN tunnels)? Did you check out the routed branch office example in the DD-WRT Wiki? It mentions how you set this all up.

Also, I'm wondering.. what exactly do you want to expose to your PC client? Just access to the VoIP device on that single port and nothing else (that's going to involve quite some configuration.. the openvpn site has an example on how to set up different clients with different permissions.. it's quite a PITA since openvpn alone cannot do user management.. you need to resort to special IP ranges and iptables commands to get this done) or would it be okay to simply expose the ip range of the branch office?
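The tun0 to br0 forwarding that the post above says the web GUI cannot do, as an added example for the Tomato firewall script; this is constructed here and is not a script from the thread. The LAN host 192.168.1.2:80 and outside port 8001 are the values from the question; the interface names and the assumption that the LAN host uses the router as its default gateway are mine.

```shell
#!/bin/sh
# Constructed example: expose one LAN service to OpenVPN clients only.
# Tomato's Port Forwarding page only writes WAN (vlan1) -> LAN (br0) rules,
# so a tun0 -> br0 mapping has to be added by hand in the firewall script.
VPN_IF=tun0            # tunnel interface on the router (tun/routed mode assumed)
LAN_IF=br0             # LAN bridge
OUTSIDE_PORT=8001      # port the VPN clients connect to
LAN_HOST=192.168.1.2   # server behind the router (from the thread)
INSIDE_PORT=80         # service port on that server

# Emit the commands instead of running them, so the rule set can be reviewed
# (or checked offline) before it is piped into sh on the router.
gen_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i $VPN_IF -p tcp --dport $OUTSIDE_PORT -j DNAT --to-destination $LAN_HOST:$INSIDE_PORT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -p tcp -d $LAN_HOST --dport $INSIDE_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}
# The DNAT is bound to the tunnel interface and to one port, so nothing on the
# WAN side is opened by these rules; the FORWARD rules admit only that flow and
# its replies. If the LAN host's default gateway is not this router, replies
# will not come back through tun0 and a MASQUERADE on $LAN_IF would be needed.

# Number of commands the script will apply (handy for a quick sanity check).
cmd_count() { gen_rules | wc -l | tr -d ' '; }

# On the router: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    gen_rules | sh
fi
```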

I am not able to access the router's web interface outside the tunnel on http://1.2.3.4:8080 or https://1.2.3.4 either even though that is enabled for remote access but I can thru the tunnel. My concern is that since the router is in a "very" remote location (5,000 miles away) I need to be able to access it should the vpn go down.

If I create an ssh tunnel and then connect via that tunnel as a proxy with Firefox or IE, I can access the web interface of the VoIP gateway, but I am not able to do so via the vpn or via the router's public IP, e.g. http://1.2.3.4:8001

I can connect to the router once my laptop is connected to the VPN as well. I even have a public IP assigned to the router using SNAT on the OpenVPN server, which works as well.

My PC is being used to manage the devices on the remote site. As I mentioned before I am able to access the router on 172.16.8.29 once my Laptop is connected to the VPN. However I believe the problem may be Tomato's firewall configuration but I am not 100% sure.

Is the Tomato's firewall enabled to block everything by default? See my script below:

I didn't make use of a GPIO 2 as there was no mention of one for the 2.2.... guess I'm going to have to take a chance and do some poking around and see if I can actually find a 2 instead of my 5.

Use of GPIO 2 is typically limited to just the WRT54GL because for some reason they removed GPIO 5 from the board on this model. So technically your configuration would be considered "standard" and ours is the freak.

I admit, some sort of support for choosing your own GPIO configuration should be supplied.

But, since this does work with 2, maybe soldering a toggle switch between 2 and 5 might help for any future problems. Then you can just switch from one to the other without desoldering.

Edit:

Roadkill, any chance to clean up the original post? It's starting to get quite confusing for some people. There seem to be different versions floating around and we can't figure out what functionality is in what file.

Well, builds that are labelled with SerialMod have Setserial, Nanocom, Mgetty added to them; otherwise they are the same.

Last clarification:

Does that include VPN as well, or is the VPN only included in the VPN/Serial version? I only ask because I'm trying to keep everything as minimal as possible, since all I really need is the SD and VPN mods. The rest just takes up space.

Thanks.

Yes, SerialMod is bundled with VPN/SDMMC as well.

Victek, drelkata: I added the NVramshow link to the tree on the left side; please download the firmware again.

I'm lost ^^;
I read everything in this thread, but I couldn't find an answer for my problem.
I have 2 networks with 192.168.1.* addresses (home and work), but I don't want to bridge them.
One of them has the VPN server, and I'd like to create a new network (like 10.8.0.*) when I connect to it.
I can connect 2 computers to the VPN, but I have a problem to reach each computer.

I've upgraded my router to 1.16.1374, but I've got a problem.
The new version lacks the ext2 module, so I'm unable to mount my SD card.

@roadkill, maybe you can add it?

Thanks

I updated the binary and the source code today to include the missing fs modules; you can re-download.
Everything should work as expected. Also, I want to know if the dhcp issues have really been fixed now;
please post feedback if you have any troubles.
RK
:grin:

Thanks for the update.
FS modules are ok now. But there is still a little problem:

I can mount the SD card only from the command line.
Nothing happens if I enable it from the GUI.

To be sure, I erased nvram and tried again.
I also downgraded to 1.14.1291 and there it worked well.

So right now I have had to put the insmod and mount commands in the init script.

Has anyone tried using OpenVPN on port 443? I have OpenVPN with static key working fine on port 1194, but when I change the port number in the settings (firewall script, wan up script, and client OpenVPN config) to 443, and make sure the https admin access is something different than 443, I get the following error from my OpenVPN client: